CoreGuard acts as the last line of defense, protecting downstream endpoints
The Largest Software Supply Chain Attack Ever
To say 2020 was a tumultuous year is an understatement. The seemingly never-ending news cycle included a global pandemic, a history-making US presidential election, and a steady slew of cyberattacks targeting private citizens, businesses, and government organizations alike.
The most alarming cyberattack was the SolarWinds attack of late 2020. This attack was credited to the Russian SVR hacking group, known as Cozy Bear, which also played a hand in the DNC hack and disinformation campaign of 2016. FireEye, a US-based cybersecurity firm and victim, first detected the attack and sounded the alarm on December 8th, 2020.
After reviewing 50,000 individual lines of source code after discovering their own hack, FireEye determined there was a backdoor in the latest update of the SolarWinds® Orion® IT management software. This meant that it wasn’t just FireEye that was vulnerable, but any SolarWinds customers that also downloaded the same software update. Ultimately, 18,000 SolarWinds customers were impacted, including federal government agencies, like the Pentagon, the Department of Homeland Security, and the State Department, as well as commercial companies, like Cisco and Microsoft.
Software supply-chain attacks are attractive attack vectors due to their ability to jump right over traditional perimeter defense mechanisms, like firewalls and intrusion detection systems. This is because software supply chain attacks are well-hidden within legitimately code-signed software updates from trusted suppliers. The more commonly used a supplier is, the more potential targets the attacker can reach. Rather than having to create different attacks targeting the Pentagon, the Department of Defense, Microsoft, Cisco, or any of the other major players impacted by SolarWinds, the attacker had to execute one attack against SolarWinds and then simply wait for each of their intended end targets to download the corrupted Orion software.
SolarWinds® Orion® Platform
Supply chain attack, corrupting an Orion update & impacting 18K+ customers
Massive data breach of highly sensitive corporate secrets & critical government data
Gain leverage over govt officials, obtain detailed plans & access medical, technical, and security secrets
Buffer overflow, code injection, data exfiltration, & data modification
How the Attack was Executed
Exactly when SolarWinds was first compromised is unknown, but there are indications that it was as early as October 2019. Using compromised credentials, the attackers inserted the malware known as SUNSPOT to create a SUNBURST backdoor into the build and release process of the SolarWinds® Orion® IT management software. After the corrupted software update was installed by 18,000 of their customers, the malware performed reconnaissance, received commands, and offloaded info to attacker-controlled servers.
The attackers were extremely strategic in their methods and timing. They took advantage of both the COVID-19 pandemic and the US presidential election as distractions. In addition, they engineered the attack to be undetected by using servers located in the US to execute the attack, taking advantage of the NSA’s prohibition against domestic surveillance.
It also avoided discovery by the cyberattack detection system deployed across all government agencies, called Einstein. However, this is in large part due to the fact that Einstein is designed only to detect pieces of known malware being used in a new way, and is not designed to detect new or novel malware.
In addition, it came to light as a result of the attack, that the SolarWinds company had a total lack of focus on security. In fact, the company didn’t implement security measures until they were forced to in 2017 in order to remain compliant with new European privacy laws. In addition, they made egregious and common sense errors, like making the update server password “solarwinds123”. Even days after the attack, SolarWinds had still not taken down the corrupted code from their website.
”This is not ‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. ”
— Brad Smith President, Microsoft
How to Secure Systems Against Software Supply Chain Attacks
Software supply chain attacks are only going to become more common as enterprise organizations rely more and more on third-party vendors. This doesn’t mean that organizations should abandon their software vendors and move everything in-house. That would be a virtually impossible feat, at an incredible expense and would still leave systems vulnerable. After all, software will always have bugs, no matter what.
However, what it does mean is that organizations need to change their mindset around security. It can no longer be considered something that is optional. Organizations need to seriously invest in their cybersecurity measures and adopt a defense-in-depth approach that provides layers of security. This means you must also secure network-connected endpoints that attackers will attempt to compromise after successfully gaining access to the network.
Dover’s CoreGuard® solution can provide an important line of defense to downstream endpoints or embedded systems. Working as an oversight system, CoreGuard watches the host processor, allowing it only to do what it was intended to do and nothing more. CoreGuard prevents the exploitation of software vulnerabilities and immunizes embedded systems against entire classes of network-based attacks, including zero-days.
CoreGuard’s base set of micropolicies stop the most common and severe types of attacks that bad actors use to gain access and take control of embedded systems, including buffer overflow, stack smashing, and code injection attacks. In addition, CoreGuard’s Confidentiality and Data Integrity micropolicies can be layered on top of the base set to stop data exfiltration and data modification attacks, which are often the attacker’s end-goal. With CoreGuard, you can significantly limit the scope and damage of software supply chain attacks by stopping an attacker’s ability to compromise network-connected endpoints.
To learn more, watch the recording of our webinar with Cadence Design Systems, Lessons Learned from SolarWinds.Watch Webinar
Function: Enforces protection on heap blocks in memory
Type of Attacks: Stops buffer overflow and overread attacks
Function: The Stack micropolicy enforces control flow integrity by protecting control data, including the return address, stored on the stack
Type of Attacks: Stops stack smashing attacks
Function: Establishes traditional Read/Write/Execute permissions for code and data, but with a fine-grained resolution
Type of Attacks: Stops code injection attacks
Function: Labels data either “confidential” or “public” and tracks the influence of that data as it flows through the system, ensuring confidential data never leaves the system without first being encrypted.
Type of Attacks: Prevents data exfiltration attacks
Function: Tracks the provenance of data as it flows through the system to ensure it came from a trusted input port. For example, an Information Integrity micropolicy rule may dictate that the system cannot write anything to external memory if it came over the internet.
Type of Attacks: Prevents unauthorized data modification